Container Image Scanning
Image scanning is one of the initial, yet most crucial, steps towards building a successful Container Security Program. Most product-based companies have already understood its importance and have baked “Image Scanning” into their CI/CD pipelines as an essential step.
Image scanning lets you scrutinize the image contents and detect security issues such as vulnerabilities in your container image.
I believe in the concept of learning by doing. So, I will first start with the easy concepts for your understanding, and we will then slowly transition to the advanced concepts.
Some of the usual terms you will hear a lot in the container world are Images, Registry, Container and Orchestrator. So, let’s start with some easy terminology before I jump directly into image scanning. (You can skip the next paragraph.)
Container Images: An image describes your application and the container environment, including the OS. You usually pull or store these images using a “Container Registry”.
Containers: Instances where you run the container images in an isolated environment. This lets you run multiple containers from the same image, with the same application and configuration.
Hosts: The machine where you are running your containers.
Orchestrator: It lets you manage the lifecycle of your containers (grouped as ‘Pods’ in Kubernetes), including their provisioning, deployment, scaling, availability, networking and other policies.
I will be covering all the security steps in my other posts, but the scope of this article is limited to image scanning.
If you look at the above flow diagram, it is evident that images are like the soul of containers: a container inherits all of the image’s characteristics, including its shortcomings such as security vulnerabilities, malware or even misconfigurations.
Hence, it is important to pay attention at this very first step of “Image Scanning” and remediate the vulnerabilities it finds before the image is used.
You can also bake image scanning into your CI/CD pipelines and use the remediated images as the “Base Image” or “Golden Image” for your Dev infrastructure.
The scanning tools usually gather CVE data and scores from multiple threat-intelligence (TI) feeds, such as the Kubernetes official CVE feed, NVD, Canonical and GitHub, and match them against the components found in the image.
CVE reference links:
- Alpine Linux SecDB: https://secdb.alpinelinux.org
- Ubuntu Security: https://people.canonical.com/~ubuntu-security/
- National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/data-feeds (see the Kubernetes-specific feed below)
- GitHub Advisory Database (GHSAs): https://github.com/advisories
- Red Hat Security Data: https://access.redhat.com/hydra/rest/securitydata/
- Kubernetes.io official CVE feed: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
Now comes the final part: jumping into the actual demo.
I am going to demonstrate “Grype” for image scanning and will be using my GCP cloud instance for the Docker and Grype installation.
Grype is an open source vulnerability scanner that can scan both container images and filesystems. Many companies also use Grype together with Syft for scanning. This is just a demonstration; you will want to set it up properly in your production environment.
Syft lets you generate an SBOM (software bill of materials), which Grype then matches against its vulnerability database to find the vulnerabilities present in the image.
An SBOM is a list of the open source and third-party components present in a specific piece of software. There are multiple SBOM standards, including OWASP CycloneDX and SPDX. If you want to read more, refer to the wonderful article by Sysdig.
Set up your GCP VM and then install Docker and Grype as below.
Grype Installation:
sudo wget -qO - https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo bash -s -- -b /usr/local/bin
You can also run grype -h for the Grype help section.
To scan an image and write the report to a file instead of the terminal, pass the --file flag:
grype wazuh/wazuh:3.13.5_7.9.2 --file <file_name>.log
Grype — Picking CVEs:
Later, you can fix the reported vulnerabilities and create the base image to be used in your environment.
Hope you find this article helpful; I am also working on a writeup to provide details related to Kubernetes or GKE cluster scanning. Also, I will try to demo multiple open source tools with similar functionality.
Feel free to reach out if any assistance is required, or let me know of any improvements for this article.
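As an added example (not code from the original post or from the Grype project), here is a small CI gate over a Grype JSON report written with grype <image> -o json --file report.json: it counts findings per severity and blocks the build only on findings at or above a chosen severity that already have an upstream fix, which is the fix-then-promote-to-golden-image loop described above. The field names (matches[].vulnerability.id/severity/fix and matches[].artifact) follow Grype's JSON report layout as I know it, and SAMPLE_REPORT is a constructed stand-in with placeholder CVE ids, not real scanner output.

```python
"""CI gate over a Grype JSON report (added example, not from the post).

Assumes the report came from: grype <image> -o json --file report.json
Field names follow Grype's JSON layout (matches[].vulnerability / artifact);
SAMPLE_REPORT is a constructed stand-in, not real scanner output.
"""
import json
from collections import Counter

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report: placeholder CVE ids and package names.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.3"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "netexample", "version": "3.0.1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": ["0.9"], "state": "fixed"}},
     "artifact": {"name": "tinylib", "version": "0.8", "type": "apk"}},
]})


def summarize(report_json):
    """Count matches per severity, e.g. Counter({"Critical": 1, ...})."""
    return Counter(m["vulnerability"]["severity"]
                   for m in json.loads(report_json)["matches"])


def blocking_findings(report_json, fail_on="High", fixed_only=True):
    """Return (cve, package, installed, fix_versions) for matches at or above
    fail_on. With fixed_only=True, unfixed findings are skipped so the gate
    only blocks on issues the team can remediate by upgrading the package."""
    threshold = SEVERITY_RANK[fail_on]
    hits = []
    for m in json.loads(report_json)["matches"]:
        vuln, pkg = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        if SEVERITY_RANK.get(vuln["severity"], -1) < threshold:
            continue  # below the gate's severity threshold (Unknown ranks -1)
        if fixed_only and fix.get("state") != "fixed":
            continue  # no upstream fix yet: track it, but do not block the build
        hits.append((vuln["id"], pkg["name"], pkg["version"], fix.get("versions", [])))
    return hits


def gate(report_json, fail_on="High", fixed_only=True):
    """Pipeline exit code: 0 = image may be promoted, 1 = block the build."""
    return 1 if blocking_findings(report_json, fail_on, fixed_only) else 0
```

Unfixed findings that the gate lets through still belong in the per-severity summary, so they can be tracked until a fixed package version appears in the feed.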